Bait, Wait, Beat Ransomware

GuardiCore
Jun 26, 2016

Attackers will always find a way to penetrate your perimeter defenses. If you are ‘lucky’ they will only steal the organization’s compute resources. In other cases, they will cause real damage, fast. Ransomware is becoming a big issue for too many organizations.

We’ve lately been approached by many of our users, asking how they can leverage the Centra security platform to fight ransomware. In this post we will talk about how our deception technology helps contain ransomware and minimize the inflicted damage.

Ransomware is dynamic in nature and changes frequently, which blunts traditional security tools. Signature-based solutions simply can't keep pace with new variants, and the more sophisticated heuristics-based solutions can often be fingerprinted by the malware and evaded.

When ransomware infects a machine it starts by enumerating the drives and looking for files to encrypt. It searches the local disk, mapped shares, and sometimes even reachable resources over the network. Our detection technique uses deceptive lures that reside on the machines that require protection. These lures are meant to mislead the ransomware into treating them as just another file worth encrypting.

Ransomware encrypting a lure and getting caught

The instant the ransomware tries to encrypt a lure file, an alert is triggered. This way we detect the ransomware in its early stages, giving us enough time to respond using a number of effective mitigation measures that we've developed.

Installing these deceptive lures is extremely simple and non-intrusive. It can be done with standard deployment tools (e.g. Chef, Puppet, Ansible), a GPO in a domain-based network, or even wmic / startup scripts; no additional agent needs to run.
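As an added illustration of the two steps described above, planting lure files and alerting when ransomware touches one, here is a minimal Python lure planter and poller. It is not GuardiCore's code and the page does not describe Centra's actual mechanism; the lure names, the polling approach (rather than a filesystem hook), the entropy threshold and the simulated attacker are all assumptions. On each poll a lure is reported as missing (deleted or renamed, e.g. with a `.locked` suffix), modified, or encrypted, the last judged by the byte entropy of the new content.

```python
"""Canary ("lure") files for ransomware detection: plant plausible-looking
files, record a baseline, and alert when one goes missing, changes, or turns
into ciphertext-like data. Added illustration only; not GuardiCore's code."""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed lure names: a leading "!" sorts early in directory listings, so a
# walker that encrypts files in listing order tends to hit a lure first.
LURE_NAMES = ("!_000_budget_2016.xlsx", "!_001_contracts.docx")

# Constructed low-entropy body; a real deployment would use a genuine-looking
# document so the lure is not trivially distinguishable from user files.
LURE_BODY = (b"Quarterly budget summary - internal draft\n"
             + b"Department,Q1,Q2,Q3,Q4\n") * 200

# Assumed threshold: encrypted/compressed data sits near 8 bits per byte,
# office documents and text far lower.
ENCRYPTED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def plant_lures(directory: Path, names=LURE_NAMES) -> dict:
    """Write lure files into `directory`; return {path: baseline sha256}."""
    baseline = {}
    for name in names:
        p = directory / name
        p.write_bytes(LURE_BODY)
        baseline[p] = hashlib.sha256(LURE_BODY).hexdigest()
    return baseline


def check_lures(baseline: dict) -> list:
    """One poll: compare each lure with its baseline and return alert dicts.
    kind is "missing" (deleted or renamed), "encrypted" (content changed and
    now looks like ciphertext) or "modified" (changed but still low-entropy)."""
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            alerts.append({"path": str(path), "kind": "missing"})
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched: the normal outcome of every poll
        ent = shannon_entropy(data)
        kind = "encrypted" if ent >= ENCRYPTED_ENTROPY_THRESHOLD else "modified"
        alerts.append({"path": str(path), "kind": kind, "entropy": round(ent, 2)})
    return alerts


def simulate_attack(directory: Path, rename_suffix: str = "") -> None:
    """Constructed stand-in for what ransomware does to a directory, used only
    on a temp dir: overwrite every file with random (ciphertext-like) bytes
    and, if a suffix is given, rename it the way many families do."""
    for p in list(directory.iterdir()):
        if p.is_file():
            p.write_bytes(os.urandom(p.stat().st_size))
            if rename_suffix:
                p.rename(p.with_name(p.name + rename_suffix))


def demo() -> dict:
    """Plant lures in a temp dir and poll after each stage of a simulated
    attack. Returns the alert lists keyed by stage."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        baseline = plant_lures(d)
        result = {"clean": check_lures(baseline)}
        simulate_attack(d)                 # in-place encryption
        result["encrypted_in_place"] = check_lures(baseline)
        simulate_attack(d, ".locked")      # encrypt and rename
        result["renamed"] = check_lures(baseline)
    return result


if __name__ == "__main__":
    for stage, alerts in demo().items():
        print(stage, "->", alerts or "no alerts")
```

A polling loop leaves the attacker a window of one interval, so a production implementation hooks file operations (a minifilter on Windows, inotify/fanotify on Linux) so that the first write to a lure fires immediately. Lures must also be excluded from backups, indexers and scheduled jobs that legitimately rewrite files, or those will raise the same alert.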

Once ransomware has infected an endpoint, it is critical to contain the threat as fast as possible: the longer it runs, the closer it gets to your mission-critical assets. Our experience shows that deceptive lures get good results against ransomware. Because they do not depend on signatures, they detect previously unseen variants and let us mitigate them in real time. Our ransomware protection is lightweight and easy to deploy, and we strongly recommend that you try it out. Give us a call.

Originally published at www.guardicore.com on June 26, 2016.
